High level conclusions

Fuzzers reach 70.68% code coverage.

Fuzzers reach 76.72% of cyclomatic complexity.

Fuzzers reach 73.65% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

1834 / 2490

Cyclomatic complexity statically reachable by fuzzers

14504 / 18904

Runtime code coverage of functions

1760 / 2490

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: selabel_file_compiled-fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	92	25.7%
gold	[1:9]	8	2.24%
yellow	[10:29]	5	1.40%
greenyellow	[30:49]	15	4.20%
lawngreen	50+	237	66.3%
All colors	357	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
11	11	1 : View List ['file_kind_to_string']	93	216	spec_node_cmp	call site: 00231	/src/selinux/libselinux/src/label_file.c:2353
10	10	4 : View List ['pthread_mutex_lock', '__errno_location', 'fmt_stem', 'pthread_mutex_unlock']	10	10	spec_node_cmp	call site: 00246	/src/selinux/libselinux/src/label_file.c:2436
6	6	2 : View List ['__errno_location', 'munmap']	6	33	load_mmap	call site: 00140	/src/selinux/libselinux/src/label_file.c:1003
6	6	2 : View List ['statvfs64', 'set_selinuxmnt']	6	6	verify_selinuxmnt	call site: 00000	/src/selinux/libselinux/src/init.c:39
2	2	2 : View List ['strlen', 'free']	2	15	selabel_sub_key	call site: 00280	/src/selinux/libselinux/src/label_file.c:1388
2	2	1 : View List ['fclose']	2	2	convert_data	call site: 00015	/src/selinux/libselinux/fuzz/selabel_file_compiled-fuzzer.c:80
2	2	1 : View List ['fclose']	2	2	init_selinuxmnt	call site: 00000	/src/selinux/libselinux/src/init.c:128
2	2	1 : View List ['abort']	2	2	regex_format_error	call site: 00322	/src/selinux/libselinux/src/regex.c:601
0	0	None	257	380	spec_node_cmp	call site: 00199	/src/selinux/libselinux/src/label_file.c:2218
0	0	None	257	380	spec_node_cmp	call site: 00200	/src/selinux/libselinux/src/label_file.c:2228
0	0	None	257	380	spec_node_cmp	call site: 00206	/src/selinux/libselinux/src/label_file.c:2240
0	0	None	257	380	spec_node_cmp	call site: 00207	/src/selinux/libselinux/src/label_file.c:2250

Runtime coverage analysis

Covered functions

45

Functions that are reachable but not covered

46

Reachable functions

85

Percentage of reachable functions covered

45.88%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
libselinux/fuzz/selabel_file_compiled-fuzzer.c	3
libselinux/src/callbacks.c	1
libselinux/src/label_file.c	24
libselinux/src/./label_file.h	5
/usr/include/x86_64-linux-gnu/bits/byteswap.h	3
libselinux/src/regex.c	9
libselinux/fuzz/../src/label_file.h	1

Fuzzer: selabel_file_text-fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	107	36.8%
gold	[1:9]	3	1.03%
yellow	[10:29]	10	3.44%
greenyellow	[30:49]	6	2.06%
lawngreen	50+	164	56.5%
All colors	290	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
16	16	3 : View List ['__errno_location', 'pthread_mutex_lock', 'pthread_mutex_unlock']	16	16	compat_validate	call site: 00100	/src/selinux/libselinux/src/matchpathcon.c:52
11	11	1 : View List ['file_kind_to_string']	93	216	spec_node_cmp	call site: 00184	/src/selinux/libselinux/src/label_file.c:2353
10	10	4 : View List ['pthread_mutex_lock', '__errno_location', 'fmt_stem', 'pthread_mutex_unlock']	10	10	spec_node_cmp	call site: 00199	/src/selinux/libselinux/src/label_file.c:2436
6	6	2 : View List ['statvfs64', 'set_selinuxmnt']	6	6	verify_selinuxmnt	call site: 00000	/src/selinux/libselinux/src/init.c:39
4	4	2 : View List ['pthread_mutex_lock', 'pthread_mutex_unlock']	10	10	insert_spec	call site: 00111	/src/selinux/libselinux/src/./label_file.h:660
2	2	2 : View List ['strlen', 'free']	2	15	selabel_sub_key	call site: 00233	/src/selinux/libselinux/src/label_file.c:1388
2	2	1 : View List ['__errno_location']	2	2	validate_context	call site: 00000	/src/selinux/libselinux/fuzz/selabel_file_compiled-fuzzer.c:29
2	2	1 : View List ['fclose']	2	2	convert_data	call site: 00013	/src/selinux/libselinux/fuzz/selabel_file_compiled-fuzzer.c:80
2	2	1 : View List ['fclose']	2	2	init_selinuxmnt	call site: 00000	/src/selinux/libselinux/src/init.c:128
2	2	1 : View List ['abort']	2	2	regex_format_error	call site: 00089	/src/selinux/libselinux/src/regex.c:601
0	0	None	257	380	spec_node_cmp	call site: 00152	/src/selinux/libselinux/src/label_file.c:2218
0	0	None	257	380	spec_node_cmp	call site: 00153	/src/selinux/libselinux/src/label_file.c:2228

Runtime coverage analysis

Covered functions

42

Functions that are reachable but not covered

37

Reachable functions

65

Percentage of reachable functions covered

43.08%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
libselinux/fuzz/selabel_file_text-fuzzer.c	3
libselinux/src/callbacks.c	1
libselinux/src/label_file.c	17
libselinux/src/./label_file.h	9
libselinux/src/label_support.c	2
libselinux/src/regex.c	5
libselinux/src/matchpathcon.c	1
libselinux/src/label.c	1
libselinux/fuzz/../src/label_file.h	1

Fuzzer: checkpolicy-fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3483	74.3%
gold	[1:9]	197	4.20%
yellow	[10:29]	58	1.23%
greenyellow	[30:49]	21	0.44%
lawngreen	50+	928	19.7%
All colors	4687	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
244	281	6 : View List ['queue_remove', 'yyerror2', 'free', 'parse_categories', 'ebitmap_cpy', 'hashtab_search']	244	376	parse_security_context	call site: 01523	/src/selinux/checkpolicy/policy_define.c:4740
96	188	7 : View List ['queue_remove', 'yyerror2', 'mls_add_or_check_level', 'parse_semantic_categories', 'mls_semantic_level_cpy', 'hashtab_search', 'yyerror']	96	188	define_user	call site: 01475	/src/selinux/checkpolicy/policy_define.c:4563
65	97	12 : View List ['yywarn', 'yyerror2', 'strchr', 'strtoul', 'inet_pton', 'ipv6_cidr_bits_to_mask', 'calloc', 'ipv6_apply_mask', 'insert_ipv6_node', 'ipv6_has_host_bits_set', '__errno_location', 'yyerror']	65	435	define_ipv6_cidr_node_context	call site: 01755	/src/selinux/checkpolicy/policy_define.c:5888
54	82	8 : View List ['yywarn', 'yyerror2', 'inet_pton', 'insert_ipv6_node', 'ipv6_has_host_bits_set', 'ipv6_is_mask_contiguous', 'malloc', 'yyerror']	54	425	define_ipv6_node_context	call site: 01728	/src/selinux/checkpolicy/policy_define.c:5812
52	84	10 : View List ['yywarn', 'yyerror2', 'strchr', 'strtoul', 'inet_pton', 'insert_ipv4_node', '__bswap_32', 'calloc', '__errno_location', 'yyerror']	52	422	define_ipv4_cidr_node_context	call site: 01707	/src/selinux/checkpolicy/policy_define.c:5640
46	74	7 : View List ['yywarn', 'yyerror2', 'inet_pton', 'insert_ipv4_node', '__bswap_32', 'malloc', 'yyerror']	46	417	define_ipv4_node_context	call site: 01684	/src/selinux/checkpolicy/policy_define.c:5564
32	53	2 : View List ['map_ebitmap', 'ebitmap_union']	32	139	role_set_expand	call site: 00265	/src/selinux/libsepol/src/expand.c:2487
16	42	4 : View List ['strcmp', 'yyerror2', 'malloc', 'yyerror']	16	380	define_port_context	call site: 01625	/src/selinux/checkpolicy/policy_define.c:5194
10	65	7 : View List ['yyerror2', 'yyerror', 'strcmp', 'context_destroy', 'malloc', 'strlen', 'hashtab_search']	10	408	define_genfs_context_helper	call site: 01793	/src/selinux/checkpolicy/policy_define.c:6019
4	26	5 : View List ['yyerror2', 'strcmp', 'malloc', 'strlen', 'yyerror']	4	364	define_ibendport_context	call site: 01657	/src/selinux/checkpolicy/policy_define.c:5392
4	10	2 : View List ['yyfatal', 'yyrealloc']	4	10	yy_get_next_buffer	call site: 00182	/src/selinux/checkpolicy/lex.yy.c:3093
2	73	5 : View List ['yyerror2', 'strcmp', 'context_destroy', 'malloc', 'yyerror']	2	744	define_netif_context	call site: 01670	/src/selinux/checkpolicy/policy_define.c:5470

Runtime coverage analysis

Covered functions

313

Functions that are reachable but not covered

603

Reachable functions

890

Percentage of reachable functions covered

32.25%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
checkpolicy/fuzz/checkpolicy-fuzzer.c	4
libsepol/src/debug.c	1
libsepol/src/policydb.c	61
libsepol/src/symtab.c	4
libsepol/src/hashtab.c	6
libsepol/src/avrule_block.c	9
libsepol/src/conditional.c	22
libsepol/src/ebitmap.c	12
libsepol/src/mls.c	8
DESTDIR/usr/include/sepol/policydb/ebitmap.h	4
libsepol/src/avtab.c	11
libsepol/src/util.c	4
checkpolicy/queue.c	7
checkpolicy/lex.yy.c	18
checkpolicy/policy_define.c	106
checkpolicy/policy_scan.l	5
checkpolicy/y.tab.c	2
checkpolicy/module_compiler.c	40
libsepol/src/policydb_validate.c	71
libsepol/src/expand.c	59
DESTDIR/usr/include/sepol/policydb/mls_types.h	9
DESTDIR/usr/include/sepol/policydb/context.h	6
libsepol/src/constraint.c	2
libsepol/src/context.c	2
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
libsepol/src/polcaps.c	2
libsepol/src/link.c	35
libsepol/src/hierarchy.c	27
libsepol/src/assertion.c	17
libsepol/src/sidtab.c	3
libsepol/src/optimize.c	16
libsepol/src/kernel_to_common.c	41
libsepol/src/write.c	39
libsepol/src/services.c	1
libsepol/src/kernel_to_conf.c	75
libsepol/src/kernel_to_cil.c	76
libsepol/src/module_to_cil.c	71

Fuzzer: binpolicy-fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	894	30.0%
gold	[1:9]	128	4.30%
yellow	[10:29]	100	3.36%
greenyellow	[30:49]	45	1.51%
lawngreen	50+	1805	60.7%
All colors	2972	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
662	1113	8 : View List ['cond_node_map_bools', 'free', 'cond_node_copy', 'cond_normalize_expr', 'cond_node_search', 'cond_node_destroy', 'cond_avrule_list_copy', 'cond_node_create']	662	1113	cond_node_copy	call site: 02843	/src/selinux/libsepol/src/expand.c:2066
121	123	2 : View List ['expand_avtab', 'avtab_init']	127	293	avtab_write	call site: 01076	/src/selinux/libsepol/src/write.c:298
100	102	2 : View List ['expand_cond_av_list', 'avtab_init']	100	194	cond_write_av_list	call site: 01124	/src/selinux/libsepol/src/write.c:780
17	17	1 : View List ['validate_mls_semantic_cat']	17	17	validate_mls_semantic_level	call site: 00649	/src/selinux/libsepol/src/policydb_validate.c:642
3	85	3 : View List ['put_entry', 'avtab_reset_merged', 'avtab_write_item']	3	92	avtab_write	call site: 01104	/src/selinux/libsepol/src/write.c:331
2	2	1 : View List ['strdup']	14	2457	expand_module	call site: 02552	/src/selinux/libsepol/src/expand.c:3009
2	2	1 : View List ['strdup']	4	50	copy_neverallow	call site: 02802	/src/selinux/libsepol/src/expand.c:2677
2	2	1 : View List ['strdup']	2	39	policydb_filetrans_insert	call site: 00215	/src/selinux/libsepol/src/policydb.c:2659
2	2	2 : View List ['calloc', 'free']	2	26	copy_neverallow	call site: 02807	/src/selinux/libsepol/src/expand.c:2713
2	2	1 : View List ['calloc']	2	23	scope_write	call site: 01247	/src/selinux/libsepol/src/write.c:2170
2	2	1 : View List ['reallocarray']	2	2	strs_add_at_index	call site: 01399	/src/selinux/libsepol/src/kernel_to_common.c:173
2	2	1 : View List ['reallocarray']	2	2	type_vec_append	call site: 00802	/src/selinux/libsepol/src/optimize.c:61

Runtime coverage analysis

Covered functions

568

Functions that are reachable but not covered

129

Reachable functions

656

Percentage of reachable functions covered

80.34%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
libsepol/fuzz/binpolicy-fuzzer.c	2
libsepol/src/debug.c	1
libsepol/src/policydb.c	87
libsepol/src/symtab.c	4
libsepol/src/hashtab.c	6
libsepol/src/avrule_block.c	8
libsepol/src/conditional.c	25
libsepol/src/ebitmap.c	13
libsepol/src/mls.c	7
DESTDIR/usr/include/sepol/policydb/ebitmap.h	4
libsepol/src/avtab.c	14
libsepol/src/util.c	4
libsepol/src/services.c	3
libsepol/src/./private.h	1
libsepol/src/policydb_validate.c	71
libsepol/src/expand.c	59
DESTDIR/usr/include/sepol/policydb/mls_types.h	9
libsepol/src/context.c	2
DESTDIR/usr/include/sepol/policydb/context.h	5
libsepol/src/polcaps.c	1
libsepol/src/sidtab.c	3
libsepol/src/optimize.c	16
libsepol/src/assertion.c	17
libsepol/src/hierarchy.c	27
libsepol/src/write.c	39
libsepol/src/kernel_to_conf.c	75
libsepol/src/kernel_to_common.c	41
libsepol/src/kernel_to_cil.c	76
libsepol/src/link.c	35
libsepol/src/constraint.c	2

Fuzzer: secilc-fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	777	15.6%
gold	[1:9]	334	6.73%
yellow	[10:29]	140	2.82%
greenyellow	[30:49]	50	1.00%
lawngreen	50+	3660	73.7%
All colors	4961	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
520	520	5 : View List ['cil_pirqcon_to_policydb', 'cil_iomemcon_to_policydb', 'cil_pcidevicecon_to_policydb', 'cil_ioportcon_to_policydb', 'cil_devicetreecon_to_policydb']	520	520	__cil_contexts_to_policydb	call site: 04220	/src/selinux/libsepol/src/../cil/src/cil_binary.c:4310
377	390	3 : View List ['put_entry', 'avrule_block_write', 'hashtab_map']	377	631	policydb_write	call site: 04678	/src/selinux/libsepol/src/write.c:2401
168	168	1 : View List ['check_assertion_extended_permissions']	168	168	check_assertion_avtab_match	call site: 04294	/src/selinux/libsepol/src/assertion.c:778
137	137	4 : View List ['mls_semantic_range_expand', 'mls_range_destroy.3328', 'mls_semantic_level_expand', 'mls_level_destroy.3332']	137	137	policydb_user_cache	call site: 04526	/src/selinux/libsepol/src/policydb.c:1021
121	123	2 : View List ['expand_avtab', 'avtab_init']	127	293	avtab_write	call site: 04679	/src/selinux/libsepol/src/write.c:298
110	110	1 : View List ['avrule_write_list']	110	117	cond_write_node	call site: 04726	/src/selinux/libsepol/src/write.c:851
100	102	2 : View List ['expand_cond_av_list', 'avtab_init']	100	194	cond_write_av_list	call site: 04727	/src/selinux/libsepol/src/write.c:780
39	39	1 : View List ['avtab_search_node_next']	39	46	avtab_write_item	call site: 04707	/src/selinux/libsepol/src/write.c:121
32	53	2 : View List ['map_ebitmap', 'ebitmap_union']	32	139	role_set_expand	call site: 04530	/src/selinux/libsepol/src/expand.c:2487
27	27	1 : View List ['ocontext_xen_free']	27	96	policydb_destroy	call site: 04586	/src/selinux/libsepol/src/policydb.c:1578
18	18	1 : View List ['role_set_write']	47	97	user_write	call site: 00000	/src/selinux/libsepol/src/write.c:1337
11	11	1 : View List ['cil_list_error']	11	11	cil_list_append	call site: 00458	/src/selinux/libsepol/src/../cil/src/cil_list.c:103

Runtime coverage analysis

Covered functions

1147

Functions that are reachable but not covered

116

Reachable functions

1154

Percentage of reachable functions covered

89.95%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
libsepol/fuzz/secilc-fuzzer.c	2
libsepol/src/../cil/src/cil_log.c	5
libsepol/src/../cil/src/cil.c	111
libsepol/src/../cil/src/cil_mem.c	5
libsepol/src/../cil/src/cil_strpool.c	6
libsepol/src/hashtab.c	7
libsepol/src/../cil/src/cil_tree.c	13
libsepol/src/../cil/src/cil_symtab.c	13
libsepol/src/symtab.c	3
libsepol/src/../cil/src/cil_list.c	11
libsepol/src/../cil/src/cil_parser.c	7
libsepol/src/../cil/src/cil_stack.c	7
libsepol/src/../cil/src/cil_lexer.l	3
libsepol/src/../cil/src/cil_lexer.c	20
libsepol/src/../cil/src/cil_build_ast.c	202
libsepol/src/../cil/src/cil_verify.c	55
libsepol/src/ebitmap.c	16
libsepol/src/../cil/src/cil_copy_ast.c	4
libsepol/src/../cil/src/cil_resolve_ast.c	97
libsepol/src/../cil/src/cil_reset_ast.c	57
libsepol/src/../cil/src/cil_fqn.c	3
libsepol/src/../cil/src/cil_post.c	75
DESTDIR/usr/include/sepol/policydb/ebitmap.h	4
libsepol/src/../cil/src/cil_deny.c	41
libsepol/src/../cil/src/cil_find.c	16
libsepol/src/polcaps.c	1
libsepol/src/../cil/src/cil_binary.c	138
libsepol/src/policydb_public.c	7
libsepol/src/policydb.c	43
libsepol/src/avrule_block.c	6
libsepol/src/conditional.c	16
libsepol/src/mls.c	5
libsepol/src/avtab.c	11
libsepol/src/util.c	1
DESTDIR/usr/include/sepol/policydb/mls_types.h	8
libsepol/src/constraint.c	2
DESTDIR/usr/include/sepol/policydb/context.h	3
libsepol/src/assertion.c	10
libsepol/src/hierarchy.c	19
libsepol/src/expand.c	11
libsepol/src/optimize.c	16
libsepol/src/write.c	39
libsepol/src/services.c	1

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
cil_write_policy_conf	/src/selinux/libsepol/src/../cil/src/cil.c	2	['N/A', 'N/A']	16	0	21	3	2	203	0	896	375
cil_write_post_ast	/src/selinux/libsepol/src/../cil/src/cil.c	2	['N/A', 'N/A']	19	0	126	16	8	773	0	4803	290
selabel_file_init	/src/selinux/libselinux/src/label_file.c	3	['N/A', 'N/A', 'int']	6	0	89	8	4	35	0	310	253
selinux_file_context_verify	/src/selinux/libselinux/src/matchpathcon.c	2	['N/A', 'int']	8	0	162	28	11	52	0	244	212
sepol_get_user_sids	/src/selinux/libsepol/src/services.c	4	['int', 'N/A', 'N/A', 'N/A']	8	0	357	46	18	50	0	362	209
sepol_check_context	/src/selinux/libsepol/src/context.c	1	['N/A']	9	0	19	3	2	53	0	328	153
sepol_ppfile_to_module_package	/src/selinux/libsepol/src/module_to_cil.c	2	['N/A', 'N/A']	11	0	264	38	13	261	0	2161	143

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

2018 / 2490

Cyclomatic complexity statically reachable by fuzzers

16107 / 18904

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

libselinux/fuzz/selabel_file_compiled-fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['spec_node_cmp', 'selabel_sub_key', 'load_mmap', 'regex_format_error', 'write_full', 'regex_load_mmap']

libselinux/fuzz/selabel_file_text-fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['spec_node_cmp', 'selabel_validate', 'insert_spec', 'selabel_sub_key', 'process_line', 'regex_format_error']

checkpolicy/fuzz/checkpolicy-fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['read_source_policy', 'define_genfs_context_helper', 'insert_separator', 'define_port_context', 'parse_security_context', 'define_ipv6_node_context', 'define_ipv6_cidr_node_context', 'define_user', 'define_devicetree_context', 'define_ipv4_node_context']

libsepol/fuzz/binpolicy-fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['prepare_base', 'check_assertion', 'policydb_write', 'cond_write_node', 'user_datum_destroy', 'copy_and_expand_avrule_block', 'constraint_expr_init', 'sepol_extended_perms_to_string', 'expand_range_trans']

libsepol/fuzz/secilc-fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['filename_write_one', 'check_assertion_self_match', 'policydb_write', '__cil_print_classperm', 'cond_write_node', 'role_set_expand', '__cil_avrulex_to_hashtable_helper', 'cil_yylex', 'ocontext_write_selinux', 'cil_ibendportcon_to_policydb']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
init_selinuxmnt	37	14	37.83%	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']
spec_node_cmp	209	59	28.22%	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']
regex_load_mmap	37	18	48.64%	['selabel_file_compiled-fuzzer']
regex_format_error	55	27	49.09%	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']
define_policy	44	20	45.45%	['checkpolicy-fuzzer']
define_category	123	67	54.47%	['checkpolicy-fuzzer']
define_level	93	47	50.53%	['checkpolicy-fuzzer']
define_pirq_context	39	10	25.64%	['checkpolicy-fuzzer']
define_iomem_context	48	10	20.83%	['checkpolicy-fuzzer']
define_ioport_context	48	10	20.83%	['checkpolicy-fuzzer']
define_pcidevice_context	40	10	25.0%	['checkpolicy-fuzzer']
define_devicetree_context	44	11	25.0%	['checkpolicy-fuzzer']
define_port_context	77	14	18.18%	['checkpolicy-fuzzer']
define_ibendport_context	63	14	22.22%	['checkpolicy-fuzzer']
define_netif_context	50	12	24.0%	['checkpolicy-fuzzer']
define_ipv4_node_context	59	15	25.42%	['checkpolicy-fuzzer']
define_ipv4_cidr_node_context	64	16	25.0%	['checkpolicy-fuzzer']
define_ipv6_node_context	59	15	25.42%	['checkpolicy-fuzzer']
define_ipv6_cidr_node_context	62	15	24.19%	['checkpolicy-fuzzer']
define_fs_use	43	11	25.58%	['checkpolicy-fuzzer']
avrule_sort_xperms	40	20	50.0%	['checkpolicy-fuzzer']
parse_semantic_categories	44	12	27.27%	['checkpolicy-fuzzer']
define_genfs_context_helper	128	19	14.84%	['checkpolicy-fuzzer']
roles_init	32	16	50.0%	['checkpolicy-fuzzer', 'secilc-fuzzer', 'binpolicy-fuzzer']
expand_module	174	90	51.72%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
expand_rule_helper	40	7	17.5%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
copy_role_trans	77	23	29.87%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
expand_filename_trans	42	10	23.80%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
expand_range_trans	41	20	48.78%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
copy_neverallow	79	31	39.24%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
cond_node_copy	46	5	10.86%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
discard_tunables	66	17	25.75%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
attr_convert_callback	31	13	41.93%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
class_copy_callback	71	11	15.49%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
role_copy_callback	67	17	25.37%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
sens_copy_callback	42	7	16.66%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
cats_copy_callback	31	7	22.58%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
user_copy_callback	95	13	13.68%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
role_fix_callback	47	13	27.65%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
ocontext_copy_selinux	88	9	10.22%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
genfs_copy	47	20	42.55%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
sepol_kernel_policydb_to_cil	221	119	53.84%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
constraint_expr_to_str	133	64	48.12%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_type_neveraudit_rules_to_cil	33	17	51.51%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
cond_expr_to_str	78	39	50.0%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_genfscon_rules_to_cil	67	21	31.34%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_selinux_port_rules_to_cil	45	14	31.11%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_selinux_node_rules_to_cil	31	11	35.48%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_xen_ioport_rules_to_cil	34	13	38.23%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_xen_iomem_rules_to_cil	34	13	38.23%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
sepol_kernel_policydb_to_conf	226	122	53.98%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_type_neveraudit_rules_to_conf	33	17	51.51%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_genfscon_rules_to_conf	67	21	31.34%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_selinux_port_rules_to_conf	45	14	31.11%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_selinux_node_rules_to_conf	31	11	35.48%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_xen_iomem_rules_to_conf	34	13	38.23%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
write_xen_ioport_rules_to_conf	34	13	38.23%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
link_modules	90	31	34.44%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
is_decl_requires_met	64	23	35.93%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
expand_role_attributes	33	12	36.36%	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
avtab_write	56	26	46.42%	['checkpolicy-fuzzer', 'secilc-fuzzer', 'binpolicy-fuzzer']
avtab_write_item	141	40	28.36%	['checkpolicy-fuzzer', 'secilc-fuzzer', 'binpolicy-fuzzer']
avrule_write	84	26	30.95%	['checkpolicy-fuzzer', 'secilc-fuzzer', 'binpolicy-fuzzer']
filename_trans_rule_write	42	12	28.57%	['checkpolicy-fuzzer', 'secilc-fuzzer', 'binpolicy-fuzzer']
ocontext_write_xen	104	15	14.42%	['checkpolicy-fuzzer', 'secilc-fuzzer', 'binpolicy-fuzzer']
cil_avrulex_to_hashtable	131	31	23.66%	['secilc-fuzzer']
__cil_contexts_to_policydb	56	25	44.64%	['secilc-fuzzer']
cil_check_neverallow	81	43	53.08%	['secilc-fuzzer']
__cil_verify_booleanif_helper	53	23	43.39%	['secilc-fuzzer']
__cil_verify_user_pre_eval	33	15	45.45%	['secilc-fuzzer']

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/selinux/libselinux/src/canonicalize_context.c	[]	[]
/src/selinux/libsepol/src/services.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_policy.c	[]	[]
/src/selinux/libsepol/src/../cil/src/cil_mem.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/policydb_validate.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
/src/selinux/libselinux/src/seusers.c	[]	[]
/usr/include/x86_64-linux-gnu/bits/byteswap.h	['selabel_file_compiled-fuzzer', 'checkpolicy-fuzzer']	[]
/src/selinux/libsepol/src/write.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/fuzz/secilc-fuzzer.c	['secilc-fuzzer']	['secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_parser.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_lexer.c	['secilc-fuzzer']	[]
/src/selinux/libselinux/src/init.c	[]	[]
/src/selinux/libselinux/src/label.c	['selabel_file_text-fuzzer']	['selabel_file_text-fuzzer']
/src/selinux/libselinux/src/selinux_internal.c	[]	[]
/src/selinux/libsepol/src/constraint.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libselinux/src/lsetfilecon.c	[]	[]
/src/selinux/libsepol/src/../cil/src/cil_fqn.c	['secilc-fuzzer']	[]
/src/selinux/libselinux/src/label_media.c	[]	[]
/src/selinux/libsepol/src/../cil/src/cil_lexer.l	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/assertion.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_deny.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/symtab.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/checkpolicy/y.tab.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/debug.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
/src/selinux/libselinux/src/lgetfilecon.c	[]	[]
/src/selinux/libsepol/src/policydb_convert.c	[]	[]
/src/selinux/libselinux/src/matchpathcon.c	['selabel_file_text-fuzzer']	['selabel_file_text-fuzzer']
/src/selinux/libselinux/src/label_db.c	[]	[]
/src/selinux/libsepol/src/optimize.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/kernel_to_common.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_stack.c	['secilc-fuzzer']	[]
/src/selinux/checkpolicy/policy_define.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_resolve_ast.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/kernel_to_conf.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/DESTDIR/usr/include/sepol/policydb/context.h	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libselinux/src/regex.c	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']
/src/selinux/libselinux/src/sha1.c	[]	[]
/src/selinux/libsepol/src/../cil/src/cil_tree.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/fuzz/binpolicy-fuzzer.c	['binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_build_ast.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_write_ast.c	[]	[]
/src/selinux/libsepol/src/../cil/src/cil_copy_ast.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/context.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
/src/selinux/checkpolicy/policy_scan.l	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/checkpolicy/parse_util.c	[]	[]
/src/selinux/libselinux/src/freecon.c	[]	[]
/src/selinux/libsepol/src/avrule_block.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/./private.h	['binpolicy-fuzzer']	[]
/src/selinux/libsepol/src/context_record.c	[]	[]
/src/selinux/libselinux/src/label_x.c	[]	[]
/src/selinux/libselinux/src/label_file.c	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']
/src/selinux/libsepol/src/mls.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libselinux/src/label_support.c	['selabel_file_text-fuzzer']	['selabel_file_text-fuzzer']
/src/selinux/libsepol/src/ebitmap.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_find.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil_log.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/hierarchy.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_verify.c	['secilc-fuzzer']	[]
/src/selinux/checkpolicy/lex.yy.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libselinux/src/check_context.c	[]	[]
/src/selinux/DESTDIR/usr/include/sepol/policydb/mls_types.h	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/policydb_public.c	['secilc-fuzzer']	['secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_reset_ast.c	['secilc-fuzzer']	[]
/src/selinux/checkpolicy/module_compiler.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libselinux/src/policyvers.c	[]	[]
/src/selinux/libselinux/src/setrans_client.c	[]	[]
/src/selinux/libselinux/src/selinux_config.c	[]	[]
/src/selinux/libselinux/src/enabled.c	[]	[]
/src/selinux/checkpolicy/fuzz/checkpolicy-fuzzer.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/conditional.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libselinux/src/./selinux_internal.h	[]	[]
/src/selinux/checkpolicy/queue.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/util.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libselinux/src/./label_file.h	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']	[]
/src/selinux/DESTDIR/usr/include/sepol/policydb/ebitmap.h	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_list.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/polcaps.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_post.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/policydb.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/kernel_to_cil.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_binary.c	['secilc-fuzzer']	[]
/usr/include/x86_64-linux-gnu/bits/uintn-identity.h	[]	[]
/src/selinux/libsepol/src/module.c	[]	[]
/src/selinux/libsepol/src/module_to_cil.c	['checkpolicy-fuzzer']	['checkpolicy-fuzzer']
/src/selinux/libsepol/src/avtab.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/sidtab.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer']
/src/selinux/libsepol/src/hashtab.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/link.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer']	['binpolicy-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_strpool.c	['secilc-fuzzer']	[]
/src/selinux/libsepol/src/../cil/src/cil.c	['secilc-fuzzer']	[]
/src/selinux/libselinux/fuzz/selabel_file_compiled-fuzzer.c	['selabel_file_compiled-fuzzer']	['selabel_file_compiled-fuzzer']
/src/selinux/libselinux/fuzz/selabel_file_text-fuzzer.c	['selabel_file_text-fuzzer']	['selabel_file_text-fuzzer']
/src/selinux/libselinux/src/callbacks.c	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']	['selabel_file_compiled-fuzzer', 'selabel_file_text-fuzzer']
/src/selinux/libsepol/src/expand.c	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']	['checkpolicy-fuzzer', 'binpolicy-fuzzer', 'secilc-fuzzer']
/src/selinux/libsepol/src/../cil/src/cil_symtab.c	['secilc-fuzzer']	[]

Directories in report

Directory
/src/selinux/libsepol/fuzz/
/src/selinux/libselinux/fuzz/
/src/selinux/libselinux/src/
/src/selinux/libsepol/src/./
/src/selinux/libsepol/src/../cil/src/
/src/selinux/checkpolicy/
/src/selinux/checkpolicy/fuzz/
/src/selinux/DESTDIR/usr/include/sepol/policydb/
/src/selinux/libselinux/src/./
/src/selinux/libsepol/src/
/usr/include/x86_64-linux-gnu/bits/